Episode 5

Overview

This week we look at some details of the 43 unique CVEs addressed across the supported Ubuntu releases and talk about the recently announced Extended Security Maintenance support for Ubuntu 14.04 Trusty Tahr.

This week in Ubuntu Security Updates

43 unique CVEs addressed across the various supported releases of Ubuntu (Bionic, Xenial, Trusty and Precise ESM)

[USN-3762-1, USN-3762-2] Linux kernel vulnerabilities

• 2 CVEs addressed in Bionic and corresponding HWE kernel for Xenial
  • CVE-2017-13695
  • CVE-2018-1118
• Both information disclosure vulnerabilities which could allow exposure of kernel addresses
  • Not directly an issue but could be used to defeat ASLR when combined with another vulnerability

[USN-3763-1] Linux kernel vulnerability

• 1 CVEs addressed in Precise ESM
  • CVE-2018-5390
• SegmentSmack (see episode 0)

[LSN-0043-1] Linux kernel vulnerability

• Livepatch to fix multiple vulnerabilities fixed in previous kernel package updates

[USN-3764-1] Zsh vulnerabilities

• 3 CVEs addressed in Trusty, Xenial, Bionic
  • CVE-2018-1100
  • CVE-2018-13259
  • CVE-2018-0502
• 2 issues in shebang / hashbang handling
  • shebang lines longer than 64 bytes truncated - could execute wrong interpreter
  • mishandling of some particular formatted shebang lines which could execute interpreter from second line of file
• Stack based buffer-overflow allowing code execution in the context of a different user

[USN-3747-2] OpenJDK 10 regression

• 4 CVEs addressed in Bionic
  • CVE-2018-2972
  • CVE-2018-2952
  • CVE-2018-2826
  • CVE-2018-2825

[USN-3761-2, USN-3761-3] Firefox regressions

• 5 CVEs addressed in Trusty, Xenial, Bionic
  • CVE-2018-12383
  • CVE-2018-12378
  • CVE-2018-12377
  • CVE-2018-12376
  • CVE-2018-12375
• Previous update to latest firefox resulted in issues due to language packs missing (and hence missing spellcheck dictionaries) and use of wrong search provider

[USN-3765-1, USN-3765-2] curl vulnerability

• 1 CVEs addressed in Trusty, Xenial, Bionic and Precise ESM
  • CVE-2018-14618
• Similar to previous CVE-2017-8816 - integer overflow in calculations during NTLM authentication could allow heap buffer overflow and hence RCE
• Uses the password length in this calculation (which is supplied by the attacker) so relatively easy to trigger

[USN-3722-5] ClamAV regression

• 2 CVEs addressed in Trusty, Xenial, Bionic
  • CVE-2018-0361
  • CVE-2018-0360

[USN-3766-1, USN-3766-2] PHP vulnerabilities

• 3 CVEs addressed in Trusty, Xenial, Bionic and Precise ESM
  • CVE-2018-14883
  • CVE-2018-14851
  • CVE-2015-9253
• Integer overflows in JPEG and EXIF handlers leading to out-of-bounds reads and hence crash - DoS
• php-fpm (FastCGI process manager) - alternative FastCGI implementation for PHP - could cause DoS since didn’t restart child processes correctly - then consume CPU and disk space (via logging) - only fixed in Bionic for now

[USN-3722-6] ClamAV vulnerabilities

• 2 CVEs addressed in Precise ESM
  • CVE-2018-0361
  • CVE-2018-0360

[USN-3767-1, USN-3767-2] GLib vulnerabilities

• 2 CVEs addressed in Trusty, Xenial, Bionic and Precise ESM
  • CVE-2018-16429
  • CVE-2018-16428
• Issues with markup parsing

[USN-3768-1] Ghostscript vulnerabilities

• 16 CVEs addressed in Trusty, Xenial, Bionic
  • CVE-2018-16802
  • CVE-2018-16585
  • CVE-2018-16543
  • CVE-2018-16542
  • CVE-2018-16541
  • CVE-2018-16540
  • CVE-2018-16539
  • CVE-2018-16513
  • CVE-2018-16511
  • CVE-2018-16510
  • CVE-2018-16509
  • CVE-2018-15911
  • CVE-2018-15910
  • CVE-2018-15909
  • CVE-2018-15908
  • CVE-2018-11645
• Ghostscript is used to process Postscript (and other formats) - PS is Turing Complete so in general is unsafe
• Hence Ghostscript includes a sandbox (-dSAFER) to try and prevent issues with handling of untrusted files
• Tavis Ormandy previously found a number of issues in the SAFER sandbox which allowed escape from it and execution of commands (ie. CVE-2016-7977 etc.)
• Recently discovered more - including ability to execute arbitrary code.

[USN-3769-1] Bind vulnerability

• 1 CVEs addressed in Trusty, Xenial, Bionic
  • CVE-2018-5740
• Trigger assertion failure from specific input from remote server to cause crash and hence DoS
  • In deny-answer-aliases feature which is not enabled by default so not so high impact

[USN-3770-1, USN-3770-2] Little CMS vulnerabilities

• 2 CVEs addressed in Trusty, Xenial, Bionic and Precise ESM
  • CVE-2018-16435
  • CVE-2016-10165
• 1 CVEs addressed in Precise ESM only
  • CVE-2013-4276
• Multiple issues in handling of ICC colour profiles (integer overflow leading to stack and heap buffer overflows on reads an writes)
• Little CMS often used in webapps which do image processing - in this case allows remote DoS or possibly remote code execution

Goings on in Ubuntu Security Community

Ubuntu 14.04 ESM Announced

• Extended Security Maintenance for Trusty 14.04 past the official EOL
• Security updates for the kernel and the most widely used packages in main
• https://blog.ubuntu.com/2018/09/19/extended-security-maintenance-ubuntu-14-04-trusty-tahr

Hiring

Ubuntu Security Manager

• https://boards.greenhouse.io/canonical/jobs/1278287

Ubuntu Security Engineer

• https://boards.greenhouse.io/canonical/jobs/1158266

Get in contact

• [email protected]
• #ubuntu-security on the Libera.Chat IRC network
• @ubuntu_sec on twitter